08 Dec

Not Really a WordPress Plugin Vulnerability – Week of December 8, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Directory Traversal Vulnerability in WooCommerce

A lot of reports of vulnerabilities that turn out to be false at least seem to have a valid basis, but occasionally you have truly strange ones. The claim of a directory traversal vulnerability in WooCommerce falls into the latter category. The claim made is:

Identifying woo commerce theme pluging properly sanitized against Directory Traversal,even the latest version of WordPress with woocommerce can be vulnerable.

Directory traversal refers to the ability to move outside of a specified directory, it isn’t a vulnerability on its own, just something that could be a piece of a vulnerability. An example of where that could come in to play as a vulnerability would be if you had code that allows downloading files from a particular directory and directory traversal could be used to download files outside of it.

The proof of concept included with the claim simply makes a request to the URL /wp-content/plugins/woocommerce/templates/emails/plain/. If you were to take a look at the latest version of WooCommerce you would see that in that directory there is no index file that would be served when requesting that, so there couldn’t be any code running for there to be directory traversal. There isn’t anything in the proof of concept code that shows an attempt to do anything related to directory traversal either.

What looks to be going on here is that the person behind this thinks that seeing a list of the files in the directory, if a server is configured to do that when there isn’t an index file, would be a vulnerability here. On the same vulnerability database we saw their claim of a directory traversal vulnerability they had submitted a Google dork for “intext:/wp-content/plugins/woocommerce/templates/emails/plain/” and wrote:

When you dork with this,it will generate juciy information in parent directory , for best practice filter according to the country .

That isn’t true though. You should already know what the files that are that directory since the directory shouldn’t contain files that don’t come with the plugin (custom template files would be located in theme being used not in the plugins directory structure).

Somehow, despite the issue being claimed here not actually being a vulnerability on in its own, this has been assigned a CVE number.